using-arc
Pass
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill establishes an instruction priority that allows repository-specific files (e.g., AGENTS.md, repo docs) and user instructions to override the skill's own rules. This design creates a surface for indirect prompt injection if an attacker places malicious instructions in the files being processed.
  - Ingestion points: Files including AGENTS.md, CLAUDE.md, and documentation under docs/arc/.
  - Boundary markers: Absent; the skill does not specify any delimiters or instructions to ignore embedded commands within the ingested content.
  - Capability inventory: The skill authorizes the use of browser automation tools (Playwright, agent-browser, Chrome MCP) and the execution of scripts located in ${ARC_ROOT}/scripts/.
  - Sanitization: Absent; the skill provides no guidance on validating or escaping content read from external repository files.
- [COMMAND_EXECUTION]: The skill instructs the agent to utilize high-impact tools such as Playwright and agent-browser for automation tasks, and references a scripts directory for runtime operations. These capabilities, while functional, expand the impact of any successful prompt injection by providing the agent with powerful system and network interaction methods.